The Life and Times of Jeff Squyres

December 2005 Archives

December 2, 2005

Verizon anti-spam measures

My mail server (squyres.com) had been suffering for about a month; verizon.net would reject about 50% of the mail that was sent to it. It took us about 4-6 weeks to figure out why. It turns out that a) Verizon has rabid anti-spam measures, b) the specific measures that they take are not published (as of today, 2 Dec 2006, at least), and c) it is extremely difficult to find out why Verizon is blocking you. So I’m posting this in the hopes that it helps other, legitimate ISPs get unblocked from Verizon.

In short, here’s what you need:

1. An MX record for your domain
2. Your mail server to accept mail to the sending address for all outgoing mail

Without these two things, you’ll be blocked from sending to any verizon.net recipients. Specifically, they won’t be blocking the IP address of your server, but the incoming message will fail what’s called domain verification, and therefore they’ll reject the message with an SMTP 550 message. Their domain verification step does two things:

1. Check that the sending address on the incoming message has an MX record
2. Connect to the server listed in the MX record and start a message to the sender of the incoming message (specifically, EHLO verizon.net / MAIL FROM: <> / RCPT TO: address_from_the_incoming_message).

Yes, I know that this is above and beyond IETF RFC conditions. So does Verizon. But they do it anyway, so if you want mail delivered to them, you need to meet these conditions.

For squyres.com, we have 2 external e-mail server names: squyres.com and lists.squyres.com. squyres.com has long-since had an MX record, but lists.squyres.com has never had one (because we didn’t need one). So any mail sent from lists.squyres.com, by default, failed Verizon’s domain verification. So we added an MX record for lists.squyres.com… but mail still kept getting rejected.

Quite embarrassingly, it turns out that we had a misconfiguration in our mail server such that the address that GNU Mailman sends mail from (i.e., <listname>-bounces@lists.squyres.com) did not accept incoming mail. Not only was this mucking up Mailman’s internal bounce processing, even once we added an MX record, we still failed Verizon’s domain verification. Doh.

After 4-6 weeks of total non-replies from Verizon (“Check the SMTP settings in your mail client”, “We’re not blocking your IP address” [that was true, but totally unhelpful in solving the problem], …etc. My favorite was “There is nothing more that we can do to help you.”), we finally — quite by accident — got an extremely responsive support tech named Shawn T. He’s not even in the same support groups that we initially appealed to (I believe he’s in the DNS support group — a misguided front-line tech referred us to him when they heard the keyword “DNS”). Shawn got “interested” in our problem, and although he didn’t know all the answers right away, he stuck with us and figured it out. He even put us directly in touch with the anti-spam group (which, to my knowledge, is totally unheard of).

The last tech that we were on the phone with (Brandon, in the anti-spam group), was literally working on the main Verizon anti-spam gates as we were talking to him (e.g., he had to clear our IP address from the “bad” cache on all the incoming servers). He was quite helpful — and tolerant (when we discovered the fact that lists.squyres.com was rejecting mail for the <foo>-bounces@lists.squyres.com addresses).

And before you ask, no, I don’t have the contact information for any of these techs, so I can’t contact them for you, nor can I give you their phone numbers. Sorry. :-(

So if you’re an ISP and you think you’re being blocked by Verizon, first check the 2 things that I listed above. If you’re absolutely sure that those conditions are met (and be sure to wait up to 2+ days for DNS propagation if you just created an MX record), then double check them by telnetting to port 25 on your server and trying to send mail to the return address manually. If that all checks out properly, then wait 6 hours and try again — Verizon’s cache of “we rejected you” lasts for 6 hours. So if you muck up and get rejected, then you have to wait for the cache to clear out before trying again.
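The two domain-verification checks and the manual port-25 test described above can be scripted against your own sending domain. This is an added example, not part of the original post and not anything Verizon publishes; the names `dig_mx` and `verify_sender` and the HELO name `probe.example` are assumptions, and the MX lookup assumes the `dig` command is installed.

```python
import smtplib
import subprocess
import sys


def dig_mx(domain):
    """MX hosts for `domain`, lowest preference first (shells out to dig)."""
    out = subprocess.run(["dig", "+short", "MX", domain], capture_output=True,
                         text=True, timeout=15).stdout
    records = []
    for line in out.splitlines():
        parts = line.split()
        # Expect "<preference> <host>."; skip a null MX ("0 .") and CNAME noise.
        if len(parts) == 2 and parts[0].isdigit() and parts[1] != ".":
            records.append((int(parts[0]), parts[1].rstrip(".")))
    return [host for _, host in sorted(records)]


def verify_sender(address, resolve_mx=dig_mx, port=25, helo="probe.example"):
    """Return (ok, reason) for one envelope sender address."""
    domain = address.rsplit("@", 1)[-1]
    hosts = resolve_mx(domain)
    if not hosts:                                   # check 1: MX must exist
        return (False, f"no MX record for {domain}")
    mx = hosts[0]
    try:                                            # check 2: callback to the MX
        with smtplib.SMTP(mx, port, local_hostname=helo, timeout=30) as smtp:
            smtp.ehlo()
            code, msg = smtp.mail("")               # null sender: MAIL FROM:<>
            if code == 250:
                code, msg = smtp.rcpt(address)      # no DATA is ever sent
    except (OSError, smtplib.SMTPException) as exc:
        return (False, f"SMTP dialogue with {mx} failed: {exc}")
    reply = f"{code} {msg.decode(errors='replace')}"
    if code in (250, 251):
        return (True, f"{mx} accepts mail for {address}: {reply}")
    return (False, f"{mx} refused the callback for {address}: {reply}")


if __name__ == "__main__":
    # Usage: python verify_sender.py listname-bounces@lists.example.org
    ok, reason = verify_sender(sys.argv[1])
    print("PASS" if ok else "FAIL", reason)
    sys.exit(0 if ok else 1)
```

Run it for every address your server uses as an envelope sender, including Mailman's `<listname>-bounces` addresses.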

If all else fails, try visiting their whitelist form: http://www.verizon.net/whitelist/ This is where we started, and although it took a few weeks, we did get in touch with the Right people and found out what was required to get our mail to Verizon recipients (I told both Shawn and Brandon that they should publish these 2 domain verification conditions somewhere — the whitelist form seems like an appropriate place. They said that was a good idea; hopefully it’ll show up there someday).

So to conclude my story, major huge thanks to Shawn and Brandon from a random tiny ISP out in the internet wilderness. Once we got ahold of you, you were extremely helpful in solving our problem. I hope you get raises.